Remote Access VPN:
Step 1:
Configure the IP addresses on the ASA and laptop as shown
Step 2:
Configure the ASA for remote access VPN
Code:
access-list office_splitTunnelAcl standard permit 150.0.0.0 255.0.0.0
access-list outside_nat0_outbound extended permit ip 150.0.0.0 255.0.0.0 172.16.1.0 255.255.255.240
ip local pool vpn-pool 172.16.1.1-172.16.1.10 mask 255.255.255.128
nat (outside) 0 access-list outside_nat0_outbound
group-policy office internal
group-policy office attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value office_splitTunnelAcl
username cisco password cisco
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group office type ipsec-ra
tunnel-group office general-attributes
 address-pool vpn-pool
 default-group-policy office
tunnel-group office ipsec-attributes
 pre-shared-key cisco
Verification (only relevant output included)
From the laptop ping 150.1.1.1
!!!!!
Code:
Crypto map tag: outside_map, seq num: 20, local addr: 155.14.0.4
access-list outside_20_cryptomap permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
current_peer: 155.14.0.1
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
inbound esp sas:
spi: 0x218BAEDC (562802396)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/3577)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7A91211B (2056331547)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/3575)
IV size: 8 bytes
replay detection support: Y
L2L VPN:
Step 1:
Configure the IP addresses on the ASA and the Hub router
Step 2:
Configure the ASA as follows
Code:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 150.0.0.0 255.0.0.0
access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 150.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 155.14.0.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 155.14.0.1 type ipsec-l2l
tunnel-group 155.14.0.1 ipsec-attributes
 pre-shared-key cisco
Step 3:
Configure the hub router as follows
Code:
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 155.14.0.4
crypto ipsec transform-set l2l-trn esp-3des esp-sha-hmac
!
!
crypto map l2l-map 10 ipsec-isakmp
 set peer 155.14.0.4
 set transform-set l2l-trn
 match address 101
interface GigabitEthernet0/1
 ip address 155.14.0.1 255.255.255.0
 crypto map l2l-map
access-list 101 permit ip 150.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 150.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
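Before a config like the ASA and hub-router ones above leaves the lab, two things are worth checking mechanically: whether the IKE/IPsec settings are still the lab-grade ones (3DES, SHA-1, DH group 2, a five-character pre-shared key, a local user whose password equals the username) and whether the crypto ACL on the ASA is an exact mirror of the router's ACL 101, since a non-mirrored pair is the usual cause of a tunnel that negotiates but passes traffic one way. The following Python script is an added example, not part of the original post and not Cisco tooling. It assumes `show running-config` text pasted into strings (the samples are a constructed subset of the lines above), handles only the network/mask ACL form used here (no `host`/`any` entries), and treats the 20-character pre-shared-key threshold as an assumed local policy value:

```python
import ipaddress
import re

# Constructed samples: a subset of the ASA and hub-router lines from the lab
# above, pasted here so the script runs offline. In practice feed it the text
# of "show running-config" from each device.
ASA_CONFIG = """\
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 150.0.0.0 255.0.0.0
access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0
username cisco password cisco
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 155.14.0.1 ipsec-attributes
 pre-shared-key cisco
"""

ROUTER_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 155.14.0.4
crypto ipsec transform-set l2l-trn esp-3des esp-sha-hmac
access-list 101 permit ip 150.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 150.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
"""

# (regex tested against each stripped config line, finding text)
WEAK_PATTERNS = [
    (r"^(encr|encryption) (3des|des)\b", "IKE cipher is 3DES/DES; use aes-256"),
    (r"^hash (sha|md5)$", "IKE integrity is SHA-1/MD5; use sha256 or stronger"),
    (r"^group (1|2|5)$", "DH group 1/2/5 (<= 1536-bit MODP); use group 14 or an ECDH group"),
    (r"\besp-(3des|des)\b", "ESP cipher is 3DES/DES (64-bit block); use esp-aes-256 or GCM"),
    (r"\besp-(sha|md5)-hmac\b", "ESP integrity is SHA-1/MD5; use esp-sha-256-hmac or GCM"),
]
MIN_PSK_LEN = 20  # assumed local policy threshold, not something the lab states


def audit_crypto(config_text):
    """Return [(line_no, line, finding), ...] for weak crypto or credential settings."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for pattern, msg in WEAK_PATTERNS:
            if re.search(pattern, line):
                findings.append((n, line, msg))
        m = re.match(r"^(?:pre-shared-key|crypto isakmp key) (\S+)", line)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append((n, line, f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
        m = re.match(r"^username (\S+) password (\S+)$", line)
        if m and m.group(1) == m.group(2):
            findings.append((n, line, "local user password equals the username"))
    return findings


def _asa_acl_pairs(config_text, name):
    """(src_net, dst_net) pairs of an ASA extended ACL; only the network/mask form is handled."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    pairs = set()
    for line in config_text.splitlines():
        m = pat.match(line.strip())
        if m:
            pairs.add((ipaddress.IPv4Network((m.group(1), m.group(2))),
                       ipaddress.IPv4Network((m.group(3), m.group(4)))))
    return pairs


def _wildcard_to_netmask(wildcard):
    """IOS wildcard (0.0.0.255) -> netmask (255.255.255.0)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def _ios_acl_pairs(config_text, number):
    """(src_net, dst_net) pairs of a numbered IOS ACL written with wildcard masks."""
    pat = re.compile(rf"^access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)$")
    pairs = set()
    for line in config_text.splitlines():
        m = pat.match(line.strip())
        if m:
            pairs.add((ipaddress.IPv4Network((m.group(1), _wildcard_to_netmask(m.group(2)))),
                       ipaddress.IPv4Network((m.group(3), _wildcard_to_netmask(m.group(4))))))
    return pairs


def crypto_acls_mirror(asa_cfg, asa_acl, ios_cfg, ios_acl):
    """True when each ASA (src, dst) pair appears on the router as (dst, src) and nothing else does."""
    asa = _asa_acl_pairs(asa_cfg, asa_acl)
    ios_flipped = {(dst, src) for (src, dst) in _ios_acl_pairs(ios_cfg, ios_acl)}
    return bool(asa) and asa == ios_flipped


if __name__ == "__main__":
    for label, cfg in (("ASA", ASA_CONFIG), ("Router", ROUTER_CONFIG)):
        for n, line, msg in audit_crypto(cfg):
            print(f"{label}:{n}: {line!r}: {msg}")
    print("crypto ACLs mirror:", crypto_acls_mirror(ASA_CONFIG, "outside_20_cryptomap", ROUTER_CONFIG, "101"))
```

Run against the lab lines it reports seven findings on the ASA and five on the router, all of them the 3DES/SHA-1/group 2/PSK choices visible above, and confirms the two crypto ACLs mirror each other. Change one router wildcard entry and the mirror check fails, which is exactly the situation that shows up later as encaps counters rising with decaps stuck at zero.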
Verification (only relevant output included)
From Laptop ping 150.2.2.2
!!!!
Code:
Router
interface: GigabitEthernet0/1
Crypto map tag: l2l-map, local addr 155.14.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 155.14.0.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 155.14.0.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
ASA
Code:
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 155.14.0.4
access-list outside_20_cryptomap permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
current_peer: 155.14.0.1
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
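The counters in these two outputs are what you actually read to decide whether the tunnel is up: encaps and decaps both climbing, decrypt/verify equal to decaps, and no send/recv errors (the router's first identity shows one send error, which is worth noticing even with traffic flowing). As an added example, not part of the original post, the following Python parser takes `show crypto ipsec sa` text of either the IOS or ASA shape shown above, splits it into one record per proxy identity (local/remote pair) and flags the common failure modes: no traffic, one-way traffic, a decrypt/verify shortfall, and send/recv errors. The samples are constructed from the excerpts above, trimmed to the lines the parser reads, plus one invented one-way case so the failure path is exercised:

```python
import re

# Constructed samples: the hub-router and ASA "show crypto ipsec sa" excerpts
# from the verification above, trimmed to the lines this parser reads, plus
# one invented one-way tunnel so the failure path is exercised.
ROUTER_SA = """\
interface: GigabitEthernet0/1
    Crypto map tag: l2l-map, local addr 155.14.0.1
   local ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 155.14.0.4 port 500
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #send errors 1, #recv errors 0
   local ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 155.14.0.4 port 500
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #send errors 0, #recv errors 0
"""

ASA_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 155.14.0.4
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
      current_peer: 155.14.0.1
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""

# Invented: the classic symptom of a non-mirrored crypto ACL or broken return path.
ONE_WAY_SA = """\
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
      current_peer: 155.14.0.1
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer:? (\S+)")          # IOS: "current_peer X port 500", ASA: "current_peer: X"
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors:? (\d+)")   # IOS omits the colon, ASA has it


def parse_ipsec_sa(output):
    """Split show crypto ipsec sa text into one dict per proxy identity (local/remote pair)."""
    entries = []
    cur = None
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":          # a new local ident starts a new SA entry
                cur = {"local": None, "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "encrypt": 0, "decrypt": 0, "verify": 0,
                       "send_errors": 0, "recv_errors": 0}
                entries.append(cur)
            if cur is not None:
                cur[side] = f"{addr}/{mask}"
            continue
        if cur is None:                  # header lines before the first ident
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
        for name, value in COUNTER_RE.findall(line):
            cur[name] = int(value)
        for name, value in ERROR_RE.findall(line):
            cur[f"{name}_errors"] = int(value)
    return entries


def assess(entry):
    """Problems found in one SA entry; an empty list means the tunnel looks healthy."""
    problems = []
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        problems.append("no traffic either way: SA idle, or interesting traffic never matched the crypto ACL")
    elif entry["decaps"] == 0:
        problems.append("one-way: we encrypt but nothing comes back (check the peer's mirror ACL and return routing)")
    elif entry["encaps"] == 0:
        problems.append("one-way: we receive but never send (check local routing and NAT exemption)")
    if entry["decrypt"] != entry["decaps"] or entry["verify"] != entry["decaps"]:
        problems.append("decapsulated packets failed decrypt/verify: transform-set or key mismatch?")
    if entry["send_errors"]:
        problems.append(f"{entry['send_errors']} send error(s)")
    if entry["recv_errors"]:
        problems.append(f"{entry['recv_errors']} recv error(s)")
    return problems


if __name__ == "__main__":
    for label, text in (("Router", ROUTER_SA), ("ASA", ASA_SA), ("Constructed one-way", ONE_WAY_SA)):
        for e in parse_ipsec_sa(text):
            print(f"{label}: {e['local']} <-> {e['remote']} via {e['peer']}: "
                  f"encaps={e['encaps']} decaps={e['decaps']} -> {assess(e) or 'OK'}")
```

On the lab output it reports the router's first identity with one send error, the second identity and the ASA side as healthy, and the constructed sample as one-way. The same pattern is easy to schedule against device output so that a tunnel drifting into one-way operation is noticed before users report it.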